- Learn the basics of hexedit, scalpel and foremost
- Recovery and Carve files using forensics tools
- Any Linux distro
- scalpel, foremost and hexedit installed
File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originality created the file. It is a method that recovers files at unallocated space without any file information and is used to recover data and execute a digital forensic investigation. It also called “carving,” which is a general term for extracting structured data out of raw data, based on format specific characteristics present in the structured data.
File carving works only on raw data on the media and it is not connected with file system structure. File carving doesn’t care about any file systems which is used for storing files[.]In the FAT file system for example, when a file is deleted, the file’s directory entry is changed to unallocated space. The first character of the filename is replaced with a marker, but the file data itself is left unchanged. Until it’s overwritten, the data is still present.
mkdir forensic
cd /forensic/dd if=/dev/zero bs=1M count=100 of=/forensic/disk.imglosetup /dev/loop0 /forensic/disk.img mkfs.ext4 /dev/loop0losetup -d /dev/loop0file /forensic/disk.imgmkdir /mnt/disk/mount -o loop /forensic/disk.img /mnt/disk/cd /mnt/disk/
curl -0 https://www.photos-public-domain.com/wp-content/uploads/2017/12/gray-cat-with-green-eyes.jpg --output cat-0.jpg
curl -0 https://www.photos-public-domain.com/wp-content/uploads/2012/10/orange-and-white-cat-in-window-sill.jpg --output cat-1.jpg
curl -0 https://www.photos-public-domain.com/wp-content/uploads/2012/04/funny-cat-hanging-upside-down-on-kitty-tree.jpg --output cat-2.jpgls -li /mnt/disk/*.jpgstat /mnt/disk/*.jpgrm -rf /mnt/disk/*.jpg
syncstat /mnt/disk/*.jpgcd /forensic
umount /mnt/diskmkdir /forensic/case && cd /forensic/case
- hexedit - view and edit files in hexadecimal or in ASCII
sudo apt-get install hexedit -yhexedit /forensic/disk.img F1: help
F2: save
F3: load file
Ctrl-Z: suspend
Ctrl-X: save and exit
Ctrl-C: exit without saving
Ctrl-U: undo all
Ctrl-S: search forwardCtrl-S
Hexa string to search: ffd8ffe1--- disk.img --0x840C00/0x6400000--------------------------------------------------------------------echo "ibase=16;0840C00" |
8653824
hexedit /forensic/disk.imgCtrl-S
Hexa string to search: ffd9--- disk.img --0x85CCCD/0x6400000--------------------------------------------------------------------echo "ibase=16;85CCCD" | bc8768717
dd if=/forensic/disk.img of=/forensic/case/001.jpg skip=8653824 bs=1 count=8768717xdg-open 001.jpg
cp /etc/scalpel.conf /forensic/case/vim scalpel.confscalpel -c scalpel.conf /forensic/disk.imgls -R /forensic/case/scalpel-output//forensic/case/scalpel-output/:
audit.txt jpg-6-0 rpm-41-0 tif-9-0
/forensic/case/scalpel-output/jpg-6-0:
00000000.jpg 00000001.jpg 00000002.jpg
/forensic/case/scalpel-output/rpm-41-0:
00000006.rpm 00000007.rpm 00000008.rpm 00000009.rpm 00000010.rpm 00000011.rpm 00000012.rpm 00000013.rpm 00000014.rpm 00000015.rpm 00000016.rpm 00000017.rpm 00000018.rpm 00000019.rpm 00000020.rpm
/forensic/case/scalpel-output/tif-9-0:
00000003.tif 00000004.tif 00000005.tif- foremost - Recover files using their headers, footers, and data structures
sudo apt-get install foremost -ycd /forensic/case/ foremost -t jpg -o foremost-output /forensic/disk.imgls -lR foremost-output/foremost-output/:
total 8
-rw-r--r--. 1 root root 817 Jun 27 10:11 audit.txt
drwxr-xr--. 2 root root 4096 Jun 27 10:11 jpg
foremost-output/jpg:
total 440
-rw-r--r--. 1 root root 114895 Jun 27 10:11 00016902.jpg
-rw-r--r--. 1 root root 132203 Jun 27 10:11 00017128.jpg
-rw-r--r--. 1 root root 195148 Jun 27 10:11 00017388.jpg